Restrict authorization of global admins to prevent data corruption

References biigle/core#331

src/Policies/AnnotationCandidatePolicy.php

@@ -24,7 +24,9 @@ class AnnotationCandidatePolicy extends CachedPolicy
      */
     public function before($user, $ability)
     {
-        if ($user->can('sudo')) {
+        $only = ['access'];
+
+        if ($user->can('sudo') && in_array($ability, $only)) {
             return true;
         }
     }

src/Policies/MaiaJobPolicy.php

@@ -22,7 +22,9 @@ class MaiaJobPolicy extends CachedPolicy
      */
     public function before($user, $ability)
     {
-        if ($user->can('sudo')) {
+        $except = ['update'];
+
+        if ($user->can('sudo') && !in_array($ability, $except)) {
             return true;
         }
     }

src/Policies/TrainingProposalPolicy.php

@@ -23,7 +23,9 @@ class TrainingProposalPolicy extends CachedPolicy
      */
     public function before($user, $ability)
     {
-        if ($user->can('sudo')) {
+        $only = ['access'];
+
+        if ($user->can('sudo') && in_array($ability, $only)) {
             return true;
         }
     }

tests/Policies/AnnotationCandidatePolicyTest.php

@@ -34,7 +34,7 @@ public function testUpdate()
         $this->assertTrue($this->editor()->can('update', $this->annotation));
         $this->assertTrue($this->expert()->can('update', $this->annotation));
         $this->assertTrue($this->admin()->can('update', $this->annotation));
-        $this->assertTrue($this->globalAdmin()->can('update', $this->annotation));
+        $this->assertFalse($this->globalAdmin()->can('update', $this->annotation));
     }
 
     public function testAttachLabel()
@@ -70,8 +70,8 @@ public function testAttachLabel()
         $this->assertFalse($this->admin()->can('attach-label', [$this->annotation, $disallowedLabel]));
         $this->assertFalse($this->admin()->can('attach-label', [$this->annotation, $otherDisallowedLabel]));
 
-        $this->assertTrue($this->globalAdmin()->can('attach-label', [$this->annotation, $allowedLabel]));
-        $this->assertTrue($this->globalAdmin()->can('attach-label', [$this->annotation, $disallowedLabel]));
-        $this->assertTrue($this->globalAdmin()->can('attach-label', [$this->annotation, $otherDisallowedLabel]));
+        $this->assertFalse($this->globalAdmin()->can('attach-label', [$this->annotation, $allowedLabel]));
+        $this->assertFalse($this->globalAdmin()->can('attach-label', [$this->annotation, $disallowedLabel]));
+        $this->assertFalse($this->globalAdmin()->can('attach-label', [$this->annotation, $otherDisallowedLabel]));
     }
 }

tests/Policies/MaiaJobPolicyTest.php

@@ -30,7 +30,7 @@ public function testUpdate()
         $this->assertTrue($this->editor()->can('update', $this->job));
         $this->assertTrue($this->expert()->can('update', $this->job));
         $this->assertTrue($this->admin()->can('update', $this->job));
-        $this->assertTrue($this->globalAdmin()->can('update', $this->job));
+        $this->assertFalse($this->globalAdmin()->can('update', $this->job));
     }
 
     public function testDestroy()

tests/Policies/TrainingProposalPolicyTest.php

@@ -32,6 +32,6 @@ public function testUpdate()
         $this->assertTrue($this->editor()->can('update', $this->annotation));
         $this->assertTrue($this->expert()->can('update', $this->annotation));
         $this->assertTrue($this->admin()->can('update', $this->annotation));
-        $this->assertTrue($this->globalAdmin()->can('update', $this->annotation));
+        $this->assertFalse($this->globalAdmin()->can('update', $this->annotation));
     }
 }